Я получаю приведенную ниже ошибку при получении ответа SAML за LoadBalancer. org.opensaml.common.SAMLException: элемент NameID должен присутствовать как часть Subject в сообщении Response, пожалуйста, включите его в конфигурации IDP. Я вижу, что NameID присутствует в Subject. Получаю ошибку. Может ли кто-нибудь помочь с этим?
SAML Request :
==============================================================
14:17:45,872 INFO [org.springframework.security.saml.log.SAMLDefaultLogger] (default task-24) AuthNRequest;SUCCESS;10.23.219.2;https://icmhub02.hk.standardchartered.com:449/SECUI/saml/SSO;ssohkidp;anonymousUser;<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest `enter code here`xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://icmhub02.hk.standardchartered.com:449/SECUI/saml/SSO" Destination="https://devigmfa.hk.standardchartered.com:8443/openam/SSOPOST/metaAlias/sso/idp4" ForceAuthn="false" ID="a5522f4775bfgb3444c6ji9fj9d01j2" IsPassive="false" IssueInstant="2020-04-19T06:17:45.802Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://icmhub02.hk.standardchartered.com:449/SECUI/saml/SSO</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#a5522f4775bfgb3444c6ji9fj9d01j2"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>cnSTmgE0PnfqDP65kRJFq/3nw+s=</ds:DigestValue></ds:Reference></ds:SignedInfo></ds:Signature><saml2p:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/></saml2p:AuthnRequest>;
SAML RESPONSE :
==============================================================
14:20:10,728 INFO [org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule] (default task-54) SAML protocol message was not signed, skipping XML signature processing
14:20:10,821 WARN [org.apache.xml.security.signature.XMLSignature] (default task-54) Signature verification failed.
14:20:10,823 INFO [org.springframework.security.saml.log.SAMLDefaultLogger] (default task-54) AuthNResponse;FAILURE;10.23.219.2;https://icmhub02.hk.standardchartered.com:449/SECUI/saml/SSO;ssohkidp;;<?xml version="1.0" encoding="UTF-8"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://icmhub02.hk.standardchartered.com:449/SECUI/saml/SSO" ID="s2bfa2e6f47054b210257909cdf2c5d53c365533a4" InResponseTo="a5522f4775bfgb3444c6ji9fj9d01j2" IssueInstant="2020-04-19T06:20:08Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">ssohkidp</saml:Issuer><samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
</samlp:StatusCode>
</samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="s2993bedd41f838e6960f7da888c4eb1da3df4dbd1" IssueInstant="2020-04-19T06:20:07Z" Version="2.0">
<saml:Issuer>ssohkidp</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#s2993bedd41f838e6960f7da888c4eb1da3df4dbd1"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>cNXqWrzVhsTlY3bd60ypXqOh/mnsKFUgXV2YKRX6JzE=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>5cmKCBl869ubHH7zzoCKIFABmFwAu3tmQYjh0vfXvGHb88r8D/iUbnqiOb1NsncMMU9eE3ylo8HekcoCkPd0eJSE41mIxUyw+8xLdHz9rFeUVhfsK37fI5S4cOjhUZdrhKrJYQKAP94gKZ1cIC/G7uUflK7jeVRSWJKkkGwjJPdIQHL8gpM8P9L1XmREcvrKKD9nQ/4aysUYOu+07W6iMdcPiRVrlDmKK7aVtqCk2t0XFrJq1AHKpqOWVGcbP0HfTLPFzg1fm4ZKGTpwX30lnuHDZzs3RNHFgmk9KYTkYwPP90RlQh5CgKlWsj9WNxX6Hrk65VIjWxoLa5yppbAsbg==</ds:SignatureValue><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIGrzCCBJegAwIBAgIIL8TdFkRVK0swDQYJKoZIhvcNAQELBQAwZjELMAkGA1UEBhMCR0IxIDAeBgNVBAoMF1N0YW5kYXJkIENoYXJ0ZXJlZCBCYW5rMTUwMwYDVQQDDCxTdGFuZGFyZCBDaGFydGVyZWQgQmFuayBVQVQgU1NMIENBIEcxIC0gU0hBMjAeFw0xOTA5MjUwNDIzNTFaFw0yMTA5MjQwNDIzNTFaMHMxCzAJBgNVBAYTAlVLMQswCQYDVQQIDAJVSzEPMA0GA1UEBwwGTG9uZG9uMQwwCgYDVQQKDANTQ0IxDDAKBgNVBAsMA1NUUzEqMCgGA1UEAwwhZGV2YW1tZmEuaGsuc3RhbmRhcmRjaGFydGVyZWQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8xTccNaFAFoq0wrYUI10oFCsuRVbQ4HciUZH/JgULVOmkHpHRj9aM/VdlhSRIrzFHomviRjhlle9kboml1yZqaogcIYBcvFv1GYjTDhOLm+dn9wmLbNgIXhq3yWj1hwQ5UrHn1/tCD9GTw5uzICa+GPaBPzlVxXuB6rwGh7P9/9y4oBcXJZzri8sT2kZeNKviEUNbntOxY/BvSv9dqxLNb4OnODZMFguUjd/1x3pFezhQPjnnWWiurCmYp4HNIT5C0R/dgV1NGF/x2xvwmPyt7mJU6T98deXAv3XROGKMTFMA7leQu0UfGi8UjcK7bopHUIg9hCGzGF/9QNoeRvp3QIDAQABo4ICUjCCAk4wYgYIKwYBBQUHAQEEVjBUMFIGCCsGAQUFBzABhkZodHRwOi8vb2NzcHVhdHBraS5oay5zdGFuZGFyZGNoYXJ0ZXJlZC5jb20vZWpiY2EvcHVibGljd2ViL3N0YXR1cy9vY3NwMB0GA1UdDgQWBBQYAiE3dT0lmkwWwwIUAuOOjbLzDjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFKHnats2NwvaDUbrGz+JG/UqFOZ1MIIBQgYDVR0fBIIBOTCCATUwggExoIHCoIG/hoG8aHR0cDovL2NybHVhdHBraS5oay5zdGFuZGFyZGNoYXJ0ZXJlZC5jb20vZWpiY2EvcHVibGljd2ViL3dlYmRpc3QvY2VydGRpc3Q/Y21kPWNybCZpc3N1ZXI9Q049U3RhbmRhcmQlMjBDaGFydGVyZWQlMjBCYW5rJTIwVUFUJTIwU1NMJTIwQ0ElMjBHMSUyMC0lMjBTSEEyLE89U3RhbmRhcmQlMjBDaGFydGVyZWQlMjBCYW5rLEM9R0KiaqRoMGYxNTAzBgNVBAMMLFN0YW5kYXJkIENoYXJ0ZXJlZCBCYW5rIFVBVCBTU0wgQ0EgRzEgLSBTSEEyMSAwHgYDVQQKDBdTdGFuZGFyZCBDaGFydGVyZWQgQmFuazELMAkGA1UEBhMCR0IwDgYDVR0PAQH/BAQDAgXgMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMBMCwGA1UdEQQlMCOCIWRldmFtbWZhLmhrLnN0YW5kYXJkY2hhcnRlcmVkLmNvbTANBgkqhkiG9w0BAQsFAAOCAgEAaaRltsRyh4SKrCQ7YhcQbuuSbKbDs4UGDf9j8gsytsT3vQbN+oLPaSoo/YLUuSnBH7+6cVz9JmOCgbGZm54eMzLqsTg2Q06zRgFohsaSPM+c8nGxk/3X3gwLNJiRdDpWQ0EA75egwFhbewYfLhA7WMO1kTimR9u7wbWsp/fKuLNCJzsgOJShksgCeKleJMaYHLknNdWaUgGfRSf++0G+2SjHfNM1MVRWe/t9d4yiOadGp07dpVuZtc/qQMejlVUCIosiElYA968JY9NGx3gFqoIpS35IqG0RbR3tXgy4DaAuXBzz/xdgWDbZ/GABR/C8/+7jPxKWVwbbMDdrZ+9iErzKcm6HV1djcyXHBzHB9+z++JFewOsRJmMdYEmkD+kYiMhZ0ENbzOmzAVK2w7orxslyq/AobsB6ca5YxU9sX99oCzXtmWQkPaovR8eD2SKNVUuRRDMB+A+q16JohJF9Gwi/PTfDTs39IUVqSvG7PTBnyBjDXJg/B5+oRIrGDV8UYiVb+VRv9+U3rm+wM4x4n0G+f6ZR0Nn2p0KleXmu65A7ochqWLPYh6kQVTrQIhnhy1WhQn65fdue1MJxDAt/El3vryp+hZNAVKkzcNtSOyfFAr+Ah2CcFMBMQoILLa0NGCyiVKDoTkIt2NvQIjvq19TyXqIn5V39c8eiNFQ/u0o=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="ssohkidp" SPNameQualifier="https://icmhub02.hk.standardchartered.com:449/SECUI/saml/SSO">1575777</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="a5522f4775bfgb3444c6ji9fj9d01j2" NotOnOrAfter="2020-04-19T06:30:08Z" Recipient="https://icmhub02.hk.standardchartered.com:449/SECUI/saml/SSO"/></saml:SubjectConfirmation>
</saml:Subject><saml:Conditions NotBefore="2020-04-19T06:10:08Z" NotOnOrAfter="2020-04-19T06:30:08Z">
<saml:AudienceRestriction>
<saml:Audience>https://icmhub02.hk.standardchartered.com:449/SECUI/saml/SSO</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2020-04-19T06:20:03Z" SessionIndex="s22bba53ba59b819b9a3ed009de4e7c74537d87c13"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>;org.opensaml.common.SAMLException: NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:290)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:88)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:175)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:92)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:186)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at
Code :
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter implements InitializingBean, DisposableBean {
private Timer backgroundTaskTimer;
private MultiThreadedHttpConnectionManager multiThreadedHttpConnectionManager;
public void init() {
this.backgroundTaskTimer = new Timer(true);
this.multiThreadedHttpConnectionManager = new MultiThreadedHttpConnectionManager();
}
public void shutdown() {
this.backgroundTaskTimer.purge();
this.backgroundTaskTimer.cancel();
this.multiThreadedHttpConnectionManager.shutdown();
}
@Autowired
private SAMLUserDetailsServiceImpl samlUserDetailsServiceImpl;
// Initialization of the velocity engine
@Bean
public VelocityEngine velocityEngine() {
return VelocityFactory.getEngine();
}
// XML parser pool needed for OpenSAML parsing
@Bean(initMethod = "initialize")
public StaticBasicParserPool parserPool() {
return new StaticBasicParserPool();
}
@Bean(name = "parserPoolHolder")
public ParserPoolHolder parserPoolHolder() {
return new ParserPoolHolder();
}
// Bindings, encoders and decoders used for creating and parsing messages
@Bean
public HttpClient httpClient() {
return new HttpClient(this.multiThreadedHttpConnectionManager);
}
// SAML Authentication Provider responsible for validating of received SAML
// messages
@Bean
public SAMLAuthenticationProvider samlAuthenticationProvider() {
SAMLAuthenticationProvider samlAuthenticationProvider = new SAMLAuthenticationProvider();
samlAuthenticationProvider.setUserDetails(samlUserDetailsServiceImpl);
samlAuthenticationProvider.setForcePrincipalAsString(false);
return samlAuthenticationProvider;
}
// Provider of default SAML Context
@Bean
public SAMLContextProviderImpl contextProvider() {
return new SAMLContextProviderImpl();
}
// Initialization of OpenSAML library
@Bean
public static SAMLBootstrap sAMLBootstrap() {
return new SAMLBootstrap();
}
// Logger for SAML messages and events
@Bean
public SAMLDefaultLogger samlLogger() {
SAMLDefaultLogger samlLogger = new SAMLDefaultLogger();
samlLogger.setLogAllMessages(true);
samlLogger.setLogErrors(true);
samlLogger.setLogMessagesOnException(true);
return samlLogger;
}
// SAML 2.0 WebSSO Assertion Consumer
@Bean
public WebSSOProfileConsumer webSSOprofileConsumer() {
return new WebSSOProfileConsumerImpl();
}
// SAML 2.0 Holder-of-Key WebSSO Assertion Consumer
@Bean
public WebSSOProfileConsumerHoKImpl hokWebSSOprofileConsumer() {
return new WebSSOProfileConsumerHoKImpl();
}
// SAML 2.0 Web SSO profile
@Bean
public WebSSOProfile webSSOprofile() {
return new WebSSOProfileImpl();
}
// SAML 2.0 Holder-of-Key Web SSO profile
@Bean
public WebSSOProfileConsumerHoKImpl hokWebSSOProfile() {
return new WebSSOProfileConsumerHoKImpl();
}
// SAML 2.0 ECP profile
@Bean
public WebSSOProfileECPImpl ecpprofile() {
return new WebSSOProfileECPImpl();
}
@Bean
public SingleLogoutProfile logoutprofile() {
return new SingleLogoutProfileImpl();
}
// Central storage of cryptographic keys
@Bean
public KeyManager keyManager() {
DefaultResourceLoader loader = new DefaultResourceLoader();
Resource storeFile = loader.getResource("classpath:/saml/samlKeystore.jks");
String storePass = "changeit";
Map<String, String> passwords = new HashMap<String, String>();
passwords.put("icmhub02.hk.standardchartered.com", "changeit");
String defaultKey = "icmhub02.hk.standardchartered.com";
return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
}
@Bean
public WebSSOProfileOptions defaultWebSSOProfileOptions() {
WebSSOProfileOptions webSSOProfileOptions = new WebSSOProfileOptions();
webSSOProfileOptions.setIncludeScoping(false);
webSSOProfileOptions.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
webSSOProfileOptions.setNameID("urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
return webSSOProfileOptions;
}
// Entry point to initialize authentication, default values taken from
// properties file
@Bean
public SAMLEntryPoint samlEntryPoint() {
SAMLEntryPoint samlEntryPoint = new SAMLEntryPoint();
samlEntryPoint.setDefaultProfileOptions(defaultWebSSOProfileOptions());
return samlEntryPoint;
}
// Setup advanced info about metadata
@Bean
public ExtendedMetadata extendedMetadata() {
ExtendedMetadata extendedMetadata = new ExtendedMetadata();
extendedMetadata.setIdpDiscoveryEnabled(true);
extendedMetadata.setSigningAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
// extendedMetadata.setSignMetadata(true);
extendedMetadata.setEcpEnabled(true);
// extendedMetadata.setSigningKey("devammfa.uk.standardchartered.com1");
return extendedMetadata;
}
// IDP Discovery Service
@Bean
public SAMLDiscovery samlIDPDiscovery() {
SAMLDiscovery idpDiscovery = new SAMLDiscovery();
idpDiscovery.setIdpSelectionPath("/saml/discovery");
return idpDiscovery;
}
@Bean
@Qualifier("idp-ssocircle")
public ExtendedMetadataDelegate ssoCircleExtendedMetadataProvider() throws MetadataProviderException {
// String idpSSOCircleMetadataURL = "https://idp.ssocircle.com/meta-idp.xml";
// String idpSSOCircleMetadataURL =
// "https://devigmfa.hk.standardchartered.com:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=ssohkidp&realm=/sso";
String idpSSOCircleMetadataURL = "https://devigmfa.hk.standardchartered.com:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=ssohkidp&realm=/sso";
HTTPMetadataProvider httpMetadataProvider = new HTTPMetadataProvider(this.backgroundTaskTimer, httpClient(),
idpSSOCircleMetadataURL);
httpMetadataProvider.setParserPool(parserPool());
// httpMetadataProvider.getEntityDescriptor("https___hklvauapp175.hk.standardchartered.com_8583_SECUI_jaxrs_Authentication").getSPSSODescriptor(SAMLConstants.SAML20P_NS).setWantAssertionsSigned(false);
ExtendedMetadataDelegate extendedMetadataDelegate = new ExtendedMetadataDelegate(httpMetadataProvider,
extendedMetadata());
extendedMetadataDelegate.setMetadataRequireSignature(false);
extendedMetadataDelegate.setMetadataTrustCheck(false);
Set<String> keySet = new HashSet<String>();
keySet.add("devammfa.uk.standardchartered.com");
keySet.add("scb_inter");
keySet.add("devigmfa.hk.standardchartered.com");
keySet.add("scb_root");
keySet.add("devammfa.uk.standardchartered.com1");
keySet.add("icmhub02.hk.standardchartered.com");
extendedMetadataDelegate.setMetadataTrustedKeys(keySet);
backgroundTaskTimer.purge();
return extendedMetadataDelegate;
}
// IDP Metadata configuration - paths to metadata of IDPs in circle of trust
// is here
// Do no forget to call iniitalize method on providers
@Bean
@Qualifier("metadata")
public CachingMetadataManager metadata() throws MetadataProviderException {
List<MetadataProvider> providers = new ArrayList<MetadataProvider>();
providers.add(ssoCircleExtendedMetadataProvider());
return new CachingMetadataManager(providers);
}
// Filter automatically generates default SP metadata
@Bean
public MetadataGenerator metadataGenerator() {
MetadataGenerator metadataGenerator = new MetadataGenerator();
metadataGenerator.setEntityId("https://icmhub02.hk.standardchartered.com:449/SECUI/saml/SSO");
metadataGenerator.setEntityBaseURL("https://icmhub02.hk.standardchartered.com:449/SECUI");
metadataGenerator.setExtendedMetadata(extendedMetadata());
metadataGenerator.setIncludeDiscoveryExtension(false);
metadataGenerator.setKeyManager(keyManager());
Set<String> c = new HashSet<String>();
c.add("urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
metadataGenerator.setNameID(c);
return metadataGenerator;
}
@Bean
SAMLContextProviderLB getLB() {
System.out.println("VISWAAAA");
SAMLContextProviderLB samlcontextroviderlb = new SAMLContextProviderLB();
samlcontextroviderlb.setScheme("https");
samlcontextroviderlb.setServerName("https://icmhub02.hk.standardchartered.com");
samlcontextroviderlb.setServerPort(449);
samlcontextroviderlb.setIncludeServerPortInRequestURL(false);
samlcontextroviderlb.setContextPath("/SECUI");
return samlcontextroviderlb;
}
// The filter is waiting for connections on URL suffixed with filterSuffix
// and presents SP metadata there
@Bean
public MetadataDisplayFilter metadataDisplayFilter() {
return new MetadataDisplayFilter();
}
// Handler deciding where to redirect user after successful login
@Bean
public SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler() {
SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler = new SavedRequestAwareAuthenticationSuccessHandler();
successRedirectHandler.setDefaultTargetUrl("/landing");
return successRedirectHandler;
}
// Handler deciding where to redirect user after failed login
@Bean
public SimpleUrlAuthenticationFailureHandler authenticationFailureHandler() {
SimpleUrlAuthenticationFailureHandler failureHandler = new SimpleUrlAuthenticationFailureHandler();
failureHandler.setUseForward(true);
failureHandler.setDefaultFailureUrl("/error");
return failureHandler;
}
@Bean
public SAMLWebSSOHoKProcessingFilter samlWebSSOHoKProcessingFilter() throws Exception {
SAMLWebSSOHoKProcessingFilter samlWebSSOHoKProcessingFilter = new SAMLWebSSOHoKProcessingFilter();
samlWebSSOHoKProcessingFilter.setAuthenticationSuccessHandler(successRedirectHandler());
samlWebSSOHoKProcessingFilter.setAuthenticationManager(authenticationManager());
samlWebSSOHoKProcessingFilter.setAuthenticationFailureHandler(authenticationFailureHandler());
return samlWebSSOHoKProcessingFilter;
}
// Processing filter for WebSSO profile messages
@Bean
public SAMLProcessingFilter samlWebSSOProcessingFilter() throws Exception {
getLB();
SAMLProcessingFilter samlWebSSOProcessingFilter = new SAMLProcessingFilter();
samlWebSSOProcessingFilter.setAuthenticationManager(authenticationManager());
samlWebSSOProcessingFilter.setAuthenticationSuccessHandler(successRedirectHandler());
samlWebSSOProcessingFilter.setAuthenticationFailureHandler(authenticationFailureHandler());
return samlWebSSOProcessingFilter;
}
@Bean
public MetadataGeneratorFilter metadataGeneratorFilter() {
return new MetadataGeneratorFilter(metadataGenerator());
}
// Handler for successful logout
@Bean
public SimpleUrlLogoutSuccessHandler successLogoutHandler() {
SimpleUrlLogoutSuccessHandler successLogoutHandler = new SimpleUrlLogoutSuccessHandler();
successLogoutHandler.setDefaultTargetUrl("/");
return successLogoutHandler;
}
// Logout handler terminating local session
@Bean
public SecurityContextLogoutHandler logoutHandler() {
SecurityContextLogoutHandler logoutHandler = new SecurityContextLogoutHandler();
logoutHandler.setInvalidateHttpSession(true);
logoutHandler.setClearAuthentication(true);
return logoutHandler;
}
// Filter processing incoming logout messages
// First argument determines URL user will be redirected to after successful
// global logout
@Bean
public SAMLLogoutProcessingFilter samlLogoutProcessingFilter() {
return new SAMLLogoutProcessingFilter(successLogoutHandler(), logoutHandler());
}
// Overrides default logout processing filter with the one processing SAML
// messages
@Bean
public SAMLLogoutFilter samlLogoutFilter() {
return new SAMLLogoutFilter(successLogoutHandler(), new LogoutHandler[] { logoutHandler() },
new LogoutHandler[] { logoutHandler() });
}
// Bindings
private ArtifactResolutionProfile artifactResolutionProfile() {
final ArtifactResolutionProfileImpl artifactResolutionProfile = new ArtifactResolutionProfileImpl(httpClient());
artifactResolutionProfile.setProcessor(new SAMLProcessorImpl(soapBinding()));
return artifactResolutionProfile;
}
@Bean
public HTTPArtifactBinding artifactBinding(ParserPool parserPool, VelocityEngine velocityEngine) {
return new HTTPArtifactBinding(parserPool, velocityEngine, artifactResolutionProfile());
}
@Bean
public HTTPSOAP11Binding soapBinding() {
return new HTTPSOAP11Binding(parserPool());
}
@Bean
public HTTPPostBinding httpPostBinding() {
return new HTTPPostBinding(parserPool(), velocityEngine());
}
@Bean
public HTTPRedirectDeflateBinding httpRedirectDeflateBinding() {
return new HTTPRedirectDeflateBinding(parserPool());
}
@Bean
public HTTPSOAP11Binding httpSOAP11Binding() {
return new HTTPSOAP11Binding(parserPool());
}
@Bean
public HTTPPAOS11Binding httpPAOS11Binding() {
return new HTTPPAOS11Binding(parserPool());
}
// Processor
@Bean
public SAMLProcessorImpl processor() {
Collection<SAMLBinding> bindings = new ArrayList<SAMLBinding>();
bindings.add(httpRedirectDeflateBinding());
bindings.add(httpPostBinding());
bindings.add(artifactBinding(parserPool(), velocityEngine()));
bindings.add(httpSOAP11Binding());
bindings.add(httpPAOS11Binding());
return new SAMLProcessorImpl(bindings);
}
/**
* Define the security filter chain in order to support SSO Auth by using SAML
* 2.0
*
* @return Filter chain proxy
* @throws Exception
*/
@Bean
public FilterChainProxy samlFilter() throws Exception {
List<SecurityFilterChain> chains = new ArrayList<SecurityFilterChain>();
chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/login/"), samlEntryPoint()));
chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/logout/**"), samlLogoutFilter()));
chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/metadata/**"),
metadataDisplayFilter()));
chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSO/**"),
samlWebSSOProcessingFilter()));
chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSOHoK/**"),
samlWebSSOHoKProcessingFilter()));
chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SingleLogout/**"),
samlLogoutProcessingFilter()));
chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/discovery/**"), samlIDPDiscovery()));
return new FilterChainProxy(chains);
}
/**
* Returns the authentication manager currently used by Spring. It represents a
* bean definition with the aim allow wiring from other classes performing the
* Inversion of Control (IoC).
*
* @throws Exception
*/
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
/**
* Defines the web based security configuration.
*
* @param http
* It allows configuring web based security for specific http
* requests.
* @throws Exception
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic().authenticationEntryPoint(samlEntryPoint());
http.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
.addFilterAfter(samlFilter(), BasicAuthenticationFilter.class)
.addFilterBefore(samlFilter(), CsrfFilter.class);
http.authorizeRequests().antMatchers("/").permitAll().antMatchers("/saml/**").permitAll().antMatchers("/UI/**")
.permitAll().antMatchers("/css/**").permitAll().antMatchers("/img/**").permitAll().antMatchers("/js/**")
.permitAll().anyRequest().authenticated();
http.logout().disable(); // The logout procedure is already handled by SAML filters.
}
/**
}
Regards
Viswa..